From 9f6be3ba3d21582ce2bc0e2934e8bc3c71b18b38 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 17 Mar 2020 09:34:59 +0100 Subject: standard: Fix #79329 get_headers() silently truncates after a null byte CVE-2020-7066 exif: Fix #79282 Use-of-uninitialized-value in exif CVE-2020-7064 use oracle client library version 19.6 (18.5 on EL-6) --- php-bug79282.patch | 107 +++++++++++++++++++++++++++++++++++++++++++++++++++++ php-bug79329.patch | 54 +++++++++++++++++++++++++++ php71.spec | 17 ++++++++- 3 files changed, 176 insertions(+), 2 deletions(-) create mode 100644 php-bug79282.patch create mode 100644 php-bug79329.patch diff --git a/php-bug79282.patch b/php-bug79282.patch new file mode 100644 index 0000000..0ea2bae --- /dev/null +++ b/php-bug79282.patch @@ -0,0 +1,107 @@ +From 8577fa5891220dac40d42b2f745fa159dcd871ad Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 15 Mar 2020 17:26:00 -0700 +Subject: [PATCH] Fixed bug #79282 + +(cherry picked from commit 41f66e2a2cfd611e35be5ac3bf747f0b56161216) +--- + ext/exif/exif.c | 7 ++++++- + ext/exif/tests/bug79282.phpt | 15 +++++++++++++++ + 2 files changed, 21 insertions(+), 1 deletion(-) + create mode 100644 ext/exif/tests/bug79282.phpt + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 406fee4ff4..9130ceaf6d 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -3243,6 +3243,11 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf, + { + unsigned exif_value_2a, offset_of_ifd; + ++ if (length < 2) { ++ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Missing TIFF alignment marker"); ++ return; ++ } ++ + /* set the thumbnail stuff to nothing so we can test to see if they get set up */ + if (memcmp(CharBuf, "II", 2) == 0) { + ImageInfo->motorola_intel = 0; +@@ -3395,7 +3400,7 @@ static int exif_scan_JPEG_header(image_info_type *ImageInfo) + return FALSE; + } + +- sn = exif_file_sections_add(ImageInfo, marker, itemlen+1, NULL); ++ sn = exif_file_sections_add(ImageInfo, marker, itemlen, NULL); + Data = ImageInfo->file.list[sn].data; + + /* Store first two pre-read bytes. */ +diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt +new file mode 100644 +index 0000000000..7b7e365657 +--- /dev/null ++++ b/ext/exif/tests/bug79282.phpt +@@ -0,0 +1,15 @@ ++--TEST-- ++Bug #79282: Use-of-uninitialized-value in exif ++--FILE-- ++ ++--EXPECTF-- ++Warning: exif_read_data(): Invalid TIFF alignment marker in %s on line %d ++ ++Warning: exif_read_data(): File structure corrupted in %s on line %d ++ ++Warning: exif_read_data(): Invalid JPEG file in %s on line %d ++bool(false) +From ad05ad4dbafc29dd23828760d4bfa2be12ccbb1c Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 15 Mar 2020 17:55:28 -0700 +Subject: [PATCH] Fix test + +(cherry picked from commit 2c081b7e269d0f63cd9d60a40997f18b5cf793be) +--- + ext/exif/tests/bug79282.phpt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt +index 7b7e365657..df91127c9c 100644 +--- a/ext/exif/tests/bug79282.phpt ++++ b/ext/exif/tests/bug79282.phpt +@@ -7,7 +7,7 @@ var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg')); + + ?> + --EXPECTF-- +-Warning: exif_read_data(): Invalid TIFF alignment marker in %s on line %d ++Warning: exif_read_data(): Missing TIFF alignment marker in %s on line %d + + Warning: exif_read_data(): File structure corrupted in %s on line %d + +From b42b6d0ff774fdced1155cb0c721d91914d619f5 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Tue, 17 Mar 2020 07:23:32 +0100 +Subject: [PATCH] fix test + +--- + ext/exif/tests/bug79282.phpt | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt +index df91127c9c..142cf28a6c 100644 +--- a/ext/exif/tests/bug79282.phpt ++++ b/ext/exif/tests/bug79282.phpt +@@ -7,9 +7,9 @@ var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg')); + + ?> + --EXPECTF-- +-Warning: exif_read_data(): Missing TIFF alignment marker in %s on line %d ++Warning: exif_read_data(%s): Missing TIFF alignment marker in %s on line %d + +-Warning: exif_read_data(): File structure corrupted in %s on line %d ++Warning: exif_read_data(%s): File structure corrupted in %s on line %d + +-Warning: exif_read_data(): Invalid JPEG file in %s on line %d ++Warning: exif_read_data(%s): Invalid JPEG file in %s on line %d + bool(false) diff --git a/php-bug79329.patch b/php-bug79329.patch new file mode 100644 index 0000000..1dedb01 --- /dev/null +++ b/php-bug79329.patch @@ -0,0 +1,54 @@ +From b7b9302660a23a67285e204bc3d7fcf6ba7f6533 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Tue, 17 Mar 2020 07:25:12 +0100 +Subject: [PATCH] Fix bug #79329 - get_headers should not accept \0 + +From 0d139c5b94a5f485a66901919e51faddb0371c43 +--- + ext/standard/url.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/standard/url.c b/ext/standard/url.c +index 0eac03ee0a..39e5b1b2c2 100644 +--- a/ext/standard/url.c ++++ b/ext/standard/url.c +@@ -660,7 +660,7 @@ PHP_FUNCTION(get_headers) + zval *zcontext = NULL; + php_stream_context *context; + +- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|lr!", &url, &url_len, &format, &zcontext) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|lr!", &url, &url_len, &format, &zcontext) == FAILURE) { + return; + } + +From 03471e31c9b467d1d8d944e44fa009ef247e81bd Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 15 Mar 2020 19:35:26 -0700 +Subject: [PATCH] [ci skip] Update NEWS + +(cherry picked from commit c8d21d7728109b0f911033c098cfaeb7438ba1d5) +--- + NEWS | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/NEWS b/NEWS +index 4233a530c1..f0bec6aa69 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,16 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.2.29 ++ ++- Core: ++ . Fixed bug #79329 (get_headers() silently truncates after a null byte) ++ (CVE-2020-7066) (cmb) ++ ++- EXIF: ++ . Fixed bug #79282 (Use-of-uninitialized-value in exif) (CVE-2020-7064) ++ (Nikita) ++ + Backported from 7.2.28 + + - DOM: diff --git a/php71.spec b/php71.spec index 10b81db..07e33d0 100644 --- a/php71.spec +++ b/php71.spec @@ -34,7 +34,7 @@ %endif %global oraclelib 18.1 %else -%global oraclever 19.5 +%global oraclever 19.6 %global oraclelib 19.1 %endif @@ -118,7 +118,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 5%{?dist} +Release: 6%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -189,6 +189,8 @@ Patch208: php-bug79037.patch Patch209: php-bug77569.patch Patch210: php-bug79221.patch Patch211: php-bug79082.patch +Patch212: php-bug79282.patch +Patch213: php-bug79329.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -1056,6 +1058,8 @@ support for JavaScript Object Notation (JSON) to PHP. %patch209 -p1 -b .bug77569 %patch210 -p1 -b .bug79221 %patch211 -p1 -b .bug79082 +%patch212 -p1 -b .bug79282 +%patch213 -p1 -b .bug79329 # Fixes for tests %if 0%{?fedora} >= 25 || 0%{?rhel} >= 6 @@ -2130,6 +2134,15 @@ EOF %changelog +* Tue Mar 17 2020 Remi Collet - 7.1.33-6 +- standard: + Fix #79329 get_headers() silently truncates after a null byte + CVE-2020-7066 +- exif: + Fix #79282 Use-of-uninitialized-value in exif + CVE-2020-7064 +- use oracle client library version 19.6 (18.5 on EL-6) + * Tue Feb 18 2020 Remi Collet - 7.1.33-5 - dom: Fix #77569 Write Access Violation in DomImplementation -- cgit